Image: Envato
South Korea’s top crypto exchange, Upbit, suffered a major security breach, losing tens of millions of dollars in digital assets just hours after its parent company, Dunamu Inc., unveiled a massive $10.3 billion takeover by tech giant Naver Corp.
The intrusion, which primarily targeted Solana-based tokens, forced Upbit to halt all deposits and withdrawals today (Nov. 27). While the initial estimates of the loss were higher, the exchange revised the figure to approximately 44.5 billion Korean won, about $30 million, based on asset prices at the time of the unauthorized transfer.
The company confirmed that the security failure occurred in one of its “Hot Wallets,” which are used for fast, day-to-day transactions. The more secure cold wallet, which stores the majority of customer assets offline, was not affected.
Abnormal withdrawals were first detected around 4:42 a.m. KST on Nov. 27, 2025, when a basket of assets on the Solana network was moved to an unknown external wallet address. The stolen assets included over 20 tokens, prominently featuring Solana (SOL), USDC, Bonk (BONK), Jupiter (JUP), Render Token (RENDER), Orca (ORCA), and Peace Network (PYTH).
In response, the exchange immediately suspended all transaction services. Upbit also initiated on-chain measures to freeze the stolen funds, successfully freezing approximately 2.3 billion won worth of Solayer (LAYER) tokens.
Oh Kyoung-suk, CEO of Dunamu, addressed users, expressing his deep regret. In an o
Source: https://www.techrepublic.com/article/news-upbit-security-breach/
TPRM report: https://www.rankiteo.com/company/upbit-korea
"id": "upb1764339322",
"linkid": "upbit-korea",
"type": "Breach",
"date": "2025-11-27T00:00:00.000Z",
"severity": "60",
"impact": "2",
"explanation": "Attack limited on finance or reputation"{'incident': {'affected_entities': [{'customers_affected': None,
'industry': 'financial services '
'(blockchain/crypto)',
'location': 'South Korea',
'name': 'Upbit',
'size': None,
'type': 'cryptocurrency exchange'}],
'attack_vector': ['compromised hot wallet',
'unauthorized external transfer'],
'customer_advisories': ['public apology by CEO Oh Kyoung-suk',
'notification of service suspension'],
'data_breach': {'data_encryption': None,
'data_exfiltration': None,
'file_types_exposed': None,
'number_of_records_exposed': None,
'personally_identifiable_information': None,
'sensitivity_of_data': None,
'type_of_data_compromised': None},
'date_detected': '2025-11-27T04:42:00+09:00',
'date_publicly_disclosed': '2025-11-27',
'description': 'South Korea’s top crypto exchange, Upbit, '
'suffered a major security breach, losing '
'approximately 44.5 billion Korean won (~$30 '
'million) in digital assets, primarily '
'Solana-based tokens. The breach targeted one of '
"Upbit’s 'Hot Wallets,' used for day-to-day "
'transactions, while the more secure cold wallet '
'remained unaffected. The incident occurred just '
'hours after Upbit’s parent company, Dunamu Inc., '
'announced a $10.3 billion takeover by Naver '
'Corp. Abnormal withdrawals were detected at 4:42 '
'a.m. KST on Nov. 27, 2025, involving over 20 '
'tokens, including SOL, USDC, BONK, JUP, RENDER, '
'ORCA, and PYTH. Upbit suspended all transaction '
'services and froze ~2.3 billion won worth of '
'Solayer (LAYER) tokens on-chain.',
'impact': {'brand_reputation_impact': 'high (public apology by '
'CEO, breach during '
'high-profile acquisition)',
'conversion_rate_impact': None,
'customer_complaints': None,
'data_compromised': None,
'downtime': {'end_time': None,
'services_affected': ['deposits',
'withdrawals',
'all transaction '
'services'],
'start_time': '2025-11-27T04:42:00+09:00'},
'financial_loss': {'amount': '44.5 billion KRW (~$30 '
'million USD)',
'assets_stolen': ['Solana (SOL)',
'USDC',
'Bonk (BONK)',
'Jupiter (JUP)',
'Render Token '
'(RENDER)',
'Orca (ORCA)',
'Peace Network '
'(PYTH)',
'Solayer (LAYER, '
'partially '
'frozen: ~2.3 '
'billion KRW)'],
'currency': ['KRW', 'USD']},
'identity_theft_risk': None,
'legal_liabilities': None,
'operational_impact': 'full suspension of '
'deposit/withdrawal services',
'payment_information_risk': None,
'revenue_loss': None,
'systems_affected': ['hot wallet (Solana-based '
'tokens)']},
'initial_access_broker': {'backdoors_established': None,
'data_sold_on_dark_web': None,
'entry_point': 'hot wallet (Solana '
'network)',
'high_value_targets': ['Solana-based '
'tokens (SOL, '
'USDC, BONK, '
'etc.)'],
'reconnaissance_period': None},
'investigation_status': 'ongoing (initial containment phase)',
'motivation': 'financial gain',
'post_incident_analysis': {'corrective_actions': None,
'root_causes': None},
'ransomware': {'data_encryption': None,
'data_exfiltration': None,
'ransom_demanded': None,
'ransom_paid': None,
'ransomware_strain': None},
'references': [{'date_accessed': None,
'source': 'Envato (image attribution)',
'url': None}],
'regulatory_compliance': {'fines_imposed': None,
'legal_actions': None,
'regulations_violated': None,
'regulatory_notifications': None},
'response': {'adaptive_behavioral_waf': None,
'communication_strategy': ['public statement by CEO '
'Oh Kyoung-suk '
'expressing regret',
'transparency about '
'revised loss estimates'],
'containment_measures': ['suspension of all '
'deposit/withdrawal '
'services',
'on-chain freezing of ~2.3 '
'billion KRW worth of '
'Solayer (LAYER) tokens'],
'enhanced_monitoring': None,
'incident_response_plan_activated': True,
'law_enforcement_notified': None,
'network_segmentation': None,
'on_demand_scrubbing_services': None,
'recovery_measures': None,
'remediation_measures': None,
'third_party_assistance': None},
'title': 'Upbit Security Breach Resulting in $30 Million Loss of '
'Solana-Based Tokens',
'type': ['cryptocurrency theft',
'unauthorized transaction',
'hot wallet compromise']}}